CVE-2022-48919

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-48919
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-48919.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-48919
Related
Published
2024-08-22T02:15:05Z
Modified
2024-09-18T03:22:40.095073Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

cifs: fix double free race when mount fails in cifsgetroot()

When cifsgetroot() fails during cifssmb3domount() we call deactivatelockedsuper() which eventually will call delayedfree() which will free the context. In this situation we should not proceed to enter the out: section in cifssmb3do_mount() and free the same resources a second time.

[Thu Feb 10 12:59:06 2022] BUG: KASAN: use-after-free in rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] Read of size 8 at addr ffff888364f4d110 by task swapper/1/0

[Thu Feb 10 12:59:06 2022] CPU: 1 PID: 0 Comm: swapper/1 Tainted: G OE 5.17.0-rc3+ #4 [Thu Feb 10 12:59:06 2022] Hardware name: Microsoft Corporation Virtual Machine/Virtual Machine, BIOS Hyper-V UEFI Release v4.0 12/17/2019 [Thu Feb 10 12:59:06 2022] Call Trace: [Thu Feb 10 12:59:06 2022] <IRQ> [Thu Feb 10 12:59:06 2022] dumpstacklvl+0x5d/0x78 [Thu Feb 10 12:59:06 2022] printaddressdescription.constprop.0+0x24/0x150 [Thu Feb 10 12:59:06 2022] ? rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] kasanreport.cold+0x7d/0x117 [Thu Feb 10 12:59:06 2022] ? rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] asanload8+0x86/0xa0 [Thu Feb 10 12:59:06 2022] rcucblistdequeue+0x32/0x60 [Thu Feb 10 12:59:06 2022] rcucore+0x547/0xca0 [Thu Feb 10 12:59:06 2022] ? callrcu+0x3c0/0x3c0 [Thu Feb 10 12:59:06 2022] ? _thiscpupreemptcheck+0x13/0x20 [Thu Feb 10 12:59:06 2022] ? lockisheldtype+0xea/0x140 [Thu Feb 10 12:59:06 2022] rcucoresi+0xe/0x10 [Thu Feb 10 12:59:06 2022] _dosoftirq+0x1d4/0x67b [Thu Feb 10 12:59:06 2022] _irqexitrcu+0x100/0x150 [Thu Feb 10 12:59:06 2022] irqexitrcu+0xe/0x30 [Thu Feb 10 12:59:06 2022] sysvechypervstimer0+0x9d/0xc0 ... [Thu Feb 10 12:59:07 2022] Freed by task 58179: [Thu Feb 10 12:59:07 2022] kasansavestack+0x26/0x50 [Thu Feb 10 12:59:07 2022] kasansettrack+0x25/0x30 [Thu Feb 10 12:59:07 2022] kasansetfreeinfo+0x24/0x40 [Thu Feb 10 12:59:07 2022] _kasanslabfree+0x137/0x170 [Thu Feb 10 12:59:07 2022] _kasanslabfree+0x12/0x20 [Thu Feb 10 12:59:07 2022] slabfreefreelisthook+0xb3/0x1d0 [Thu Feb 10 12:59:07 2022] kfree+0xcd/0x520 [Thu Feb 10 12:59:07 2022] cifssmb3domount+0x149/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3gettree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfsgettree+0x52/0x140 [Thu Feb 10 12:59:07 2022] pathmount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] _x64sysmount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] dosyscall64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entrySYSCALL64after_hwframe+0x44/0xae

[Thu Feb 10 12:59:07 2022] Last potentially related work creation: [Thu Feb 10 12:59:07 2022] kasansavestack+0x26/0x50 [Thu Feb 10 12:59:07 2022] _kasanrecordauxstack+0xb6/0xc0 [Thu Feb 10 12:59:07 2022] kasanrecordauxstacknoalloc+0xb/0x10 [Thu Feb 10 12:59:07 2022] callrcu+0x76/0x3c0 [Thu Feb 10 12:59:07 2022] cifsumount+0xce/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] cifskillsb+0xc8/0xe0 [cifs] [Thu Feb 10 12:59:07 2022] deactivatelockedsuper+0x5d/0xd0 [Thu Feb 10 12:59:07 2022] cifssmb3domount+0xab9/0xbe0 [cifs] [Thu Feb 10 12:59:07 2022] smb3gettree+0x1a0/0x2e0 [cifs] [Thu Feb 10 12:59:07 2022] vfsgettree+0x52/0x140 [Thu Feb 10 12:59:07 2022] pathmount+0x635/0x10c0 [Thu Feb 10 12:59:07 2022] _x64sysmount+0x1bf/0x210 [Thu Feb 10 12:59:07 2022] dosyscall64+0x5c/0xc0 [Thu Feb 10 12:59:07 2022] entrySYSCALL64after_hwframe+0x44/0xae

References

Affected packages

Debian:11 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.10.106-1

Affected versions

5.*

5.10.46-4
5.10.46-5
5.10.70-1~bpo10+1
5.10.70-1
5.10.84-1
5.10.92-1~bpo10+1
5.10.92-1
5.10.92-2
5.10.103-1~bpo10+1
5.10.103-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / linux

Package

Name
linux
Purl
pkg:deb/debian/linux?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.16.14-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}